I'd like to be notified via email if our Linux servers are under any kind of hacking attempt or service attack. Is there some kind of all-in-one solution that can monitor for suspicious activity and send reports of said activity to an email address?

15 Answers

If you're worried about attacks, simple monitoring isn't enough. Imagine an attack comes in at 2am, or whenever you're off the clock and asleep. How many password guesses can be made before you check your email?

I do log monitoring with logwatch to look for suspicious login activity. I have the system locked down pretty tight so I mostly "catch" our security office doing their regular scans. There's also an open source version of TripWire that would be useful for monitoring changes to selected files, though this is only useful after they've broken in to let you know what's been compromised.

Takes a bit of configuring and then tuning to minimize false alerts (or to address problems), but there are many tools available to help with that. There are also websites where you can subscribe to new sets of "rules", in order to keep on top of the latest hacks.

Along with that you might want to use Snort log analyzers such as BASE or ACID. I think there's also an all-in-one GUI solution called Sguil as well, that you might want to look at.

I think you may want to rethink being alerted for every unsuccessful hacking attempt. If you want an e-mail every time someone pokes around looking for a vulnerability, you are probably in for quite a deluge.

Four Linux computers with vulnerable passwords were left online for 24 hours to determine the trend of attacks on them. This was the preparation a researcher made to conduct a study at the University of Maryland. According to his observation, the computers received 270,000 hacking attempts. That comes to one attempt per 39 seconds.

One would think that you'd start with a reasonably secure configuration that would reject a lot of this traffic without tripping the sensor. For instance, my SSH configuration limits connections to a single network so I never see the login attempts from outside in my log -- they don't make it that far.
– tvanfosson, May 1 '09 at 20:10

Well the OP did say "any kind of hacking attempt", not just those that have any chance of success.
– Chris Upchurch, May 1 '09 at 20:14

If you are running with selinux enabled, and you have setroubleshoot running, then any attack that gets past the normal defenses will trigger a popup. I've had one attack make it this far and get shut down by selinux and if it weren't for the alert I would have had no idea. A little research from the alert brought me to the advisory for the package in question, which I didn't need so I uninstalled it.

Have a look at OSSIM. It's an open-source IDS/analysis system for *nix servers that has event correlation, connection tracking, and session monitoring, plus it gives you a nice overview of your current security level.

I use a combination of Denyhosts, Logwatch, and restrictive firewalls on my Linux servers.

First of all, NEVER let Denyhosts send you individual emails for every IP it blocks. If you get hit by a botnet SSH attack (as my personal server has successfully weathered several times), that'll mean way too many notifications. If LogWatch is configured correctly, it will include a report of the denyhosts activity in the daily email. If you keep it at the default of Service = All, this should happen automatically.

Additionally, create a text file called .forward in root's home directory on your server. In it, put the address of where you'd like it to forward root's emails. Even if you've only got a few servers, it's much easier to get all the daily LogWatch messages in one place than it is to log into each one individually and use "Mail".

Finally, on sensitive work machines, I have iptables set up to block all traffic except for IP addresses I've specifically whitelisted. Traffic from the local VLAN is unrestricted, and I have a bash script that builds my iptables rules and whitelists certain IPs based on configuration files. (This is much easier than trying to maintain your whitelists in the script itself.) It's extensible enough for me to create whitelists for any port and/or protocol on the fly as necessary: for example, tcp_22_access contains the IPs for which SSH access is permitted.
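The whitelist-from-config-files approach this answer describes, as an added example that is not the answer's own script: it reads files named `<proto>_<port>_access` (such as the `tcp_22_access` mentioned above) from a directory and prints the resulting iptables rules so they can be reviewed before being applied as root. The LAN CIDR, the config directory and the sample UDP file are assumptions.

```shell
#!/bin/sh
# Added example, not the answer's own script. Whitelist files live in one
# directory and are named <proto>_<port>_access (e.g. tcp_22_access), with
# one source IP or CIDR per line; '#' comments and blank lines are ignored.
# The function only prints the rules: review them, then pipe to sh as root.

LAN_CIDR="${LAN_CIDR:-10.0.0.0/24}"   # local VLAN left unrestricted (assumed value)

# build_whitelist_rules DIR -> prints one iptables command per line
build_whitelist_rules() {
    dir="$1"
    # default-deny inbound, but keep loopback and reply traffic working
    echo "iptables -P INPUT DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -s $LAN_CIDR -j ACCEPT"
    for f in "$dir"/*_*_access; do
        [ -f "$f" ] || continue
        name=$(basename "$f")          # e.g. tcp_22_access
        proto=${name%%_*}              # tcp
        rest=${name#*_}                # 22_access
        port=${rest%%_*}               # 22
        # refuse anything that is not tcp/udp with a numeric port
        case "$proto" in tcp|udp) ;; *) echo "skip $name: bad proto" >&2; continue ;; esac
        case "$port" in ''|*[!0-9]*) echo "skip $name: bad port" >&2; continue ;; esac
        # strip comments and blank lines, emit one ACCEPT per source address
        sed 's/#.*//; /^[[:space:]]*$/d' "$f" | while read -r src; do
            echo "iptables -A INPUT -p $proto --dport $port -s $src -j ACCEPT"
        done
    done
}

# usage: sh build_rules.sh /etc/fw-whitelists | less   (directory is assumed)
if [ $# -gt 0 ]; then
    build_whitelist_rules "$1"
fi
```

Because the whitelists are plain files, adding a new port is just creating another `<proto>_<port>_access` file and re-running the script, which is the point the answer makes about keeping the lists out of the script itself.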

Every software package I've used has already been listed, but I just wanted to bring up a point about your second request:

Do you really want to be emailed every time you get hit with an automated attack?

Any time you set something up to notify you instantly via email or sms, ask yourself two questions:

What can I do in response to this notification, and when won't I do that?
If you'll respond the same way every time, you should probably be using a trigger system like Fail2Ban (blacklisting IPs for failed logins automatically).
If you'll never immediately respond to a notification, then it's probably better as either a daily digest email or just a log in an alert system somewhere.

Keep the signal to noise ratio high in any sort of alert based system. If you get 5-10 emails a day letting you know about some mundane 'attack' that you do nothing about, it's a lot easier to let something important slip through the cracks.